--- title: Fixes in AM 7.3.x description: This page lists the cumulative fixes in AM 7.3.x releases: component: pingam version: release-notes page_id: pingam::fixes-7.3 canonical_url: https://docs.pingidentity.com/pingam/release-notes/fixes-7.3.html section_ids: am_7_3_3: AM 7.3.3 am_7_3_2: AM 7.3.2 am_7_3_1: AM 7.3.1 am_7_3_0: AM 7.3.0 --- # Fixes in AM 7.3.x This page lists the cumulative fixes in AM 7.3.x releases: ## AM 7.3.3 | | | | ------------ | ------------------------------------------------------------------------------------------------------------ | | OPENAM-23519 | Android devices without a screen lock not working with WebAuthn registration | | OPENAM-23518 | AuthenticateToTreeConditionAdvice doesn't work with Inner Tree as first node | | OPENAM-23441 | Enabling OAuth2 client option "Allow wildcard ports in redirect URIs" prevents application URIs from working | | OPENAM-22846 | External app/policy store active/passive LB isn't working | | OPENAM-22654 | BooleanAttributeInputCallback renders an enabled checkbox in AM XUI | | OPENAM-22608 | Non-extractable secrets in HSM fails to work on AM for SAML2 XML signing | | OPENAM-21026 | OAuth Clients don't work when the redirect uri list contains an invalid uri | | OPENAM-20451 | Fix to display user-friendly account name during WebAuthn device registration | | OPENAM-15834 | Access token call fails when an unsupported claim is requested | ## AM 7.3.2 | | | | ------------ | ---------------------------------------------------------------------------------------------------------------- | | OPENAM-22836 | Unable to update KBA Security questions using XUI | | OPENAM-22753 | Destroy All session may fail to work | | OPENAM-22717 | SP-initiated SSO fails with "Illegal character in scheme name" when IdP name contains a special character | | OPENAM-22696 | Persistent search notification invalidation on AD identity store doesn't invalidate user cached attributes | | OPENAM-22656 | Setting `JWKs URI content cache timeout` to a small value throws an error | | OPENAM-22632 | AMSetupServlet install error with Windows multi-domain environment | | OPENAM-22602 | OIDC ID Token Validator node uses own `httpClient` settings to connect to JWK or well-known URL | | OPENAM-22421 | Webauthn: Windows Hello TPM Attestation failing for Windows 11 22H2 | | OPENAM-22391 | Issues with `evaluateTree` when using wildcard policies | | OPENAM-22322 | Unable to verify signed ArtifactResponse Assertion leading to failure | | OPENAM-22318 | OAUTH\_REQUEST\_ATTRIBUTES cookie isn't getting deleted after authentication | | OPENAM-22289 | Session quota action may fail when the session isn't updatable but should be fine to proceed | | OPENAM-22288 | Amster upgrade 7.3.0-to-7.3.x fails with Groovy Exception | | OPENAM-22181 | Approve UMA request fails with 500 error when AM deployed as a platform | | OPENAM-22120 | Backchannel logout token doesn't contain `exp` claim | | OPENAM-21972 | SAML artifact binding is failing in load-balanced deployments | | OPENAM-21937 | Quota enforcement affects agent sessions that authenticate by tree | | OPENAM-21897 | Creation order determines policy evaluate and evaluateTree results | | OPENAM-21473 | Certificate collector node: `getPortalStyleCert` throws exception when cert/header not present | | OPENAM-21322 | AM console allows creation of entity provider with space at the end of the name | | OPENAM-21191 | Web agent sessions have a long session lifetime of 42 years | | OPENAM-21085 | Undefined bindings are incorrectly evaluated in Groovy scripts | | OPENAM-20945 | Unable to trace token revocation back to resource owner because of missing `trackingID` field | | OPENAM-20314 | Social Provider Handler node and Social IdP service use the `sub` claim to search for links to existing accounts | | OPENAM-20299 | Fix to make agent authentication honor `com.iplanet.am.session.agentSessionIdleTime` | | OPENAM-19261 | Fix incorrectly logged errors when introspecting tokens using OAuth 2.0 client credentials grant | ## AM 7.3.1 | | | | ------------ | -------------------------------------------------------------------------------------------------------------- | | OPENAM-22017 | ConfigProviderNode creates node class dynamically leading to native memory leak | | OPENAM-21976 | Single point of locking contention when performing client-based session logout | | OPENAM-21941 | Unable to edit policies in the UI | | OPENAM-21854 | TermsAndConditionsCallback fails with error on XUI | | OPENAM-21747 | Rest SDK and Amster send cookies if request has cookie header | | OPENAM-21728 | Certificate module fails using JDK 11.0.21 and later with undefined access to private method | | OPENAM-21484 | Introspecting OAuth 2.0 refresh tokens results in different claim value types in the response | | OPENAM-21421 | Scripting logger name isn't based on logging hierarchy convention | | OPENAM-21390 | ConsumedStateDataCache can cache an incomplete set of reachability data when on multi-AM environment | | OPENAM-21304 | OAuth 2.0 dynamic client registrations don't retain `request_uri` values when creating | | OPENAM-21277 | Running Amster in debug mode doesn't work on Windows | | OPENAM-21164 | Calling `toXMLString` in custom SAML adapter can return incorrectly formatted XML leading to invalid signature | | OPENAM-21160 | Inconsistent values in secure state when navigating an authentication tree | | OPENAM-21158 | Windows Hello registration fails on TPM attestation parsing on Windows 11 22H2 | | OPENAM-21069 | WindowsDesktopSSO authentication is failing | | OPENAM-21030 | Amster 7.3.0 CLI isn't working on Windows | | OPENAM-21010 | Social authentication for remote OIDC server for user profile non-english words corrupted | | OPENAM-21004 | AM will always look for valid session when scope=openid | | OPENAM-21001 | IdPAccountMapper is not correctly determined | | OPENAM-20980 | Unable to use issuer comparison check regex in oidc social provider | | OPENAM-20897 | Debug logs not showing info for `ERROR: Unsupported Callback, "{0}"` and others | | OPENAM-20895 | Newly-created Maven archetype project fails to build | | OPENAM-20756 | OIDC social authentication request (Apple) fails due to duplicate `response_mode=form_post` request parameter | | OPENAM-20691 | Destroy oldest session may fail to work | | OPENAM-20682 | Unable to encrypt from `jwk_uri` when there are duplicate `kid` | | OPENAM-20490 | AESWrapEncryption shows "WARN: AESWrap-encrypted data is less than 16 bytes" | | OPENAM-20026 | Trailing whitespace prevents social provider deletion via UI | | OPENAM-19999 | ID token as AM session doesn't work with `/authorize` when openid scope is requested | | OPENAM-19889 | Policy evaluation fails with agent access token JWT as subject | | OPENAM-19282 | Recovery Code Display Node works only immediately after Registration node | | OPENAM-18599 | Allow for custom error message if user account is locked | ## AM 7.3.0 | | | | ------------ | ------------------------------------------------------------------------------------------------------------------- | | OPENAM-20396 | Authentication tree is selected by order of acr to tree mapping, not the default values, and order is not preserved | | OPENAM-20360 | Ampersand is double encoded in the Destination of a SAML Assertion | | OPENAM-20260 | Unable to log into AM when external application store is down | | OPENAM-20230 | Class allowlisting fails with permission denied after an extended period | | OPENAM-20181 | AD account notification fails | | OPENAM-20159 | Upgrader adds requestObjectProcessing to OAuth2Provider subconfigs | | OPENAM-20104 | The `fragment` response\_mode for the /oauth2/authorize endpoint is not working | | OPENAM-20085 | STS token generation does not work with clustered docker pods | | OPENAM-20082 | Locked out users are shown a misleading error message | | OPENAM-19868 | Correctly handle multi-line text in Email Suspend nodes | | OPENAM-19866 | Excessive logging when accessing protected resources | | OPENAM-19726 | The `par` endpoint doesn't return a `request_uri` when using JAR and claims are provided | | OPENAM-19665 | Wrong Java version in Amster README file | | OPENAM-19515 | Unable to update session service with read only identity store | | OPENAM-19411 | Amster installation failure with authorizedKey parameter when trying to overwrite an existing configuration | | OPENAM-18818 | Persistent search error message shows wrong DS identifier | | OPENAM-18488 | Windows Hello with TPM/platform authenticator returns two certificates | | OPENAM-18172 | Multiple instances of "No Social Authentication Service found for realm" logged at WARNING level | | OPENAM-17215 | Policy debug log fills up at very high pace if the config store is not found | | OPENAM-13766 | No configuration found for login with SessionConditionAdvice=deny |